Provided by: argus-client_2.0.6.fixes.1-3_amd64 
NAME
ragator.conf - ragator flow model definitions.
COPYRIGHT
Copyright (c) 2000-2002 QoSient. All rights reserved.
SYNOPSIS
ragator.conf
DESCRIPTION
Programs that perform flexible aggregation of argus data, such as ragator(1) and
radium(8), can be configured to aggregate using arbitrary flow models. This configuration
file provides a syntax for flow matching and aggregation model assignments on a per flow
basis, allowing for highly flexible aggregation strategies on a single argus stream.
The configuration file is structured as a set of initialization variables, and then
followed by a collection of flow descriptors and model definitions. The concept is that
one identifies specific Argus Flow Activity Records through specification of an Argus flow
descriptor matching statement.
OPTIONS
The aggregation clients have a small number of options for controlling specific aspects of
aggregation function and output.
RAGATOR_MODEL_NAME
Ragator configurations can be named. This is important for ra* aggregation pprograms that
support multiple concurrent models at a time, so you can tell them apart. This is
completely optional.
RAGATOR_REPORT_AGGREGATION
Ragator, when it merges argus records together, adds a new aggregation metric to the
resulting record, which reports on the number of records that were merged together and
provides some additional statistical values that provide record arrival rates and mean
record durations. By setting this option to "no", you can have ragator() not provide this
metric. This is useful when creating full-duplex records from half-duplex merging
operations.
RAGATOR_REPORT_AGGREGATION=yes
RAGATOR_PRESERVE_FIELDS
All aggregation clients have the ability to detect when a flow descriptor would not be
modified during the aggregation process. This is valuable information when attempting to
discover trends. However, some applications may want the resulting output to completely
conform to the new flow definitions. In order to force ragator() like programs to convert
flow descriptions to the new flow model descriptors, set this option to "no".
RAGATOR_PRESERVE_FIELDS=yes
RAGATOR_AUTOCORRECTION
When aggregating Argus records together, all aggregation clients have the ability to
autocorrect the assignment of flow initiator and receiver. This is important for
processing Argus records derived from Cisco Netflow style flow monitors, and for Argus
records that were generated by long lived flows that have extended idle periods. Because
it is possible for ra* aggregation clients to receive half-duplex flow records, or
multiple flow records for the same long live flow, autocorrecting the argus records allows
the client aggregation process to match A -> B and B -> A records that belong to the same
flow.
With certain flow aggregation models, however, the autocorrection logic can cause
aggregation errors. As a result, when providing custom aggregation models, autocorrection
is disabled by default.
If you would like to re-enable the autocorrection function, set this variable to "yes";
RAGATOR_AUTOCORRECTION=no
AGGREGATION CONFIGURATION
Argus record flow descriptors are compared to the flow descriptor matching statements in
sequential, or "fall through", order, much like existing Access Control List definitions
supported by routers, switches and firewalls.
The matching statement references a flow model that is used to modify the flow description
of each Argus record. Records are aggregated based on the modified flow descriptor that
results from applying the flow model that is refererenced in the matching flow descriptor
matching statement.
In each flow descriptor matching statement is a TimeOut period, which is how long the
aggregator will hold the flow cache before reporting it, and an IdleTimeOut period, which
is how long the aggregation process will hold the flow in its cache, if there is no
activity.
If a record doesn't match any statement in the configuration, then it is aggregated based
on its unmodified flow descriptor. This aggregates flow reports from the same long lived
flow.
ARGUS FLOW DESCRIPTOR MATCHING STATEMENT
An Argus flow matching statement specifies values for the network protocol, the network
src and dst addresses, the transport protocol, and for TCP and UDP, the src and dst port
numbers.
The supported network protocol is "ip", which represents IPv4. This field specifies the
type of the other fields in the flow descriptor. Support for arp, dhcp and ipv6 are
expected soon.
The address field can be names, dot '.' notation IPv4 addresses, or CIDR addresse, which
are partial dot '.' notation addresses with a significant field indicator, using either
the ':' or '/' seperators.
Proto field can be any valid IP protocol number, or the keywords, found in the
/etc/protocols file. For systems that do not support /etc/protocols, ragator()
understands 'tcp', 'udp', 'icmp', and 'igmp' tokens on its own.
Port values for 'tcp' and 'udp' flow can be any valid key word in the /etc/services file,
or, of course, actual port numbers which are 16 bit values, between 0 and 65535 (0xFFFF).
When the protocol is 'icmp', the values after the Proto field are valid ICMP type and code
values. Valid icmp types are:
echo
unreach
srcquench
redirect
timexed
timestamp
info
address
Numbers can be specified in decimal or as hex with the 0x prefix.
ARGUS AGGREGATION MODEL SPECIFIERS
Argus flow matching statements reference a specific aggregation model specifier, which
describes how the flow descriptor will be modified prior to aggregation. This entry in
the aggregation configuration, specifies what values will be preserved in the flow
descriptor, and how they should be modified.
When dealing with IP flows, the source and destination address fields can be modified
using mask descriptors. Protocol values and source and destination ports, however, are
simply retained, by specifying "yes", or discarded, by specifying "no".
There can be any number of aggregation model specifiers, but they must have a unique Model
id number.
EXAMPLE
Here is a configuration that aggregates and reports individual transactions twice a day,
but "forgets" each transaction if it has been idle for a full 24 hours.
#label id SAddr DAddr Proto SPort DPort Model Duration Idle
Flow 100 ip * * * * * 200 21600 43200
#label id SAddrMask DAddrMask Proto SPort DPort
Model 200 ip 255.255.255.255 255.255.255.255 yes yes yes
The Flow descriptor matching statement 100 matches all Argus records, because all the flow
descriptor fields are wildcarded, using '*'. Each record will be modified using the Model
200 defintion, which preserves all fields, and the resulting aggregate will be held for
21600 seconds, at which time it will be reported.
While this type of configuration is not likely to aggregate many records, it will be very
good at aggregating long lived single flows, such as persistant ping sessions between
hosts, which can generate a lot of activity data. Since this may not be what you are
really after, we'll present a more complex example.
#label id SAddr DAddr Proto SPort DPort Model Duration Idle
Flow 100 ip * * icmp echo * 300 21600 43200
Flow 102 ip 10:24 10:24 tcp * 80 201 300 300
Flow 103 ip 10:24 * tcp * 80 230 300 300
Flow 104 ip * * tcp * 80 210 300 300
Flow 101 ip * * udp * domain 201 3600 300
Flow 105 ip * * * * * 241 120 300
#TCP and UDP Flow Model Definitions
#label id SAddrMask DAddrMask Proto SPort DPort
Model 201 ip 255.255.255.255 255.255.255.255 yes no yes
Model 210 ip 255.255.255.255 255.255.255.252 yes no yes
Model 230 ip 255.0.0.0 255.255.255.255 yes no yes
Model 241 ip 0.0.0.0 0.0.0.0 yes no yes
# ICMP Flow Model Definitions
#label id SAddrMask DAddrMask Proto Type Code
Model 300 ip 255.255.255.255 255.255.255.255 yes yes yes
Argus records are matched in falling order, so you will test all Argus records against
flow 100, then 101, then 102, and finally 105. Flow Id numbers are used to report syntax
errors in the configuration, and they don't have to be unique.
This configuration is designed to track pings, the clients of tcp services and the server
of udp based DNS services. All other traffic is accounted for either by protocol or
lumped together. Although not a particularly useful configuration, it is an example of
how to architecture your aggregation.
Flow 100 matches all icmp echo (ping) transactions, and indicates that ragator should use
FlowModel 300 to aggregate the ping transactions. The aggregate should be held for 21600
seconds (6 hours) and then reported.
Model 300 is designed to aggregate ICMP transactions without modification. The result
will be that ragator() will aggregate only echo transactions between the same machines.
Very useful for tracking generic connectivity failure between two machines that are
pinging one or the other.
Flow 102 matches all destination port 80 tcp connections where the servers and clients are
both in the 10 network, and aggregates them based on Model 201, holding the aggregate for
5 minutes and then reporting them. This is an example an aggregation scheme that will
report on HTTP sessions (clumps of TCP connections that occur in a short time range)
between individual clients and their servers.
Flow 103 then matches all destination port 80 tcp connections where the clients are from
the 10 network. Model 230 will track the class A address of the clients (net 10) and keep
track of the individual remote servers.
Flow 104 then matches all of the rest of the port 80 tcp connections, which should be
connections into net 10, from non-net 10 clients. Model 210 is designed to track the
traffic to a set of 4 load balanced HTTP servers. Model 210 is designed to track the
clients of services, so the src address goes unmodified (255.255.255.255), but the servers
(dst address) are going to be modifed to represent a subset of the class C network address
(255.255.255.252). basically mask off the last 2 bits in the address. The protocol value
and the dst port (in this case the service port) will be preserved, but the src port is
removed, so the individual TCP connections can be matched.
Flow 102 tracks udp based DNS transactions, aggregating them based on Flow Model 201 and
holding the aggregate for an hour (3600 secs). This strategy reports the aggregate DNS
transactions between each client and server pair. To do this, the Flow Modeler preserves
everything except the source port, which changes on each DNS request.
All other traffic is aggregated based on Flow Model 241 and reported every 12 hours. Flow
Model 241 is designed to track just the protocol, so this will generate Argus Records that
have bytes and packets for TCP and UDP and the other protocols but it will not report the
addresses. This can be useful.
SEE ALSO
ragator(1)
14 November 2001 RAGATOR.CONF(5)